Introduction to IPv6 concepts

Rolling out IPv6: a brief example how-to

IPv6 - IPv4 compare and contrast

Considerations for mapping IPv4 policies to IPv6
None of this is optional

The choice isn't, "Do IPv6 or don't do IPv6."

The choice is, "Secure it or don't secure it."
We've been here before.

The genesis of the internet was the ARPAnet project, awarded to BBN in 1969

ARPAnet's IMP protocol used 8-bit addresses.

Maximum 256 nodes.

Probably enough, right?
ARPAnet

Computer History Museum, 2008
Turns out that didn't end well.

An 8-bit address space isn't sufficient for the internet.

January 1, 1983: "Flag day"

IMP -> TCP/IP

• Entire network shut down at the same time

• Rebooted and reconfigured into TCP/IP
Vint Cerf, APRICOT, Feb 201

Vint Cerf did not actually say this
32 bits - about 4 billion addresses
Can't use all of them (subnetting)
Think of it as 16 million /24 networks
It took us 28 years to consume them all
Geoff Huston, http://potaroo.i
ISPs have "stock" of addresses

Can also recover addresses by renumbering old allocations more efficiently

Can also recover addresses by redefining services

So we still have some left
<what>

[Diagram: protocol stacks, with the application layer at the top of each]
IPv4 addresses: 32 bits, looks like

192.168.123.234

• Four decimal octets separated by "dots"

IPv6 addresses: 128 bits, looks like

2001:44b8:80:12a6:c0:ffee:dead:beef

• Eight hexadecimal hextets separated by colons
Netmasks

IPv4: Netmask accompanies address, often in decimal form (255.255.248.0)

• Count the number of 1's in the binary netmask to convert to CIDR notation

255.255.248.0 = /21, 255.255.255.0 = /24

IPv6: Always use CIDR, usually on 16-bit boundaries (i.e., where the colons are)

• /32, /48, /64 are the most common masks
Imagine a /64 subnet:

Bit position:        /16    /32    /48    /64    /80 ...
                 2001 : 44b8 : 80   : 1234 : c0   : ffee ...
                 <----- Network address ----> <--- Interface Identifier --->
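A worked example of the address and mask conventions above, added here and not part of the original slides. It converts a dotted-decimal IPv4 netmask to a CIDR prefix length by counting 1 bits (and rejects a non-contiguous mask rather than miscounting it), and splits an IPv6 address at the /64 boundary into network prefix and interface identifier. The sample addresses are constructed from the slide's own examples; only Python's standard-library ipaddress module is assumed.

```python
import ipaddress


def netmask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal IPv4 netmask to a CIDR prefix length.

    The prefix length is the count of 1 bits, but only when the mask is a
    contiguous run of 1s followed by 0s. Anything else (e.g. 255.0.255.0)
    is rejected instead of being silently turned into a wrong /N.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    # A contiguous mask with `ones` leading 1s must reproduce exactly `bits`.
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def prefix_to_netmask(prefix: int) -> str:
    """Inverse of netmask_to_prefix, for writing old-style ACLs back out."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def split_ipv6(addr: str, prefixlen: int = 64) -> dict:
    """Split an IPv6 address into network prefix and interface identifier.

    Returns the compressed and exploded forms, the /prefixlen network, the
    interface identifier as hex, and the number of addresses in the subnet.
    """
    ip = ipaddress.IPv6Address(addr)
    net = ipaddress.IPv6Network((ip, prefixlen), strict=False)
    iid_bits = 128 - prefixlen
    iid = int(ip) & ((1 << iid_bits) - 1)
    return {
        "compressed": ip.compressed,
        "exploded": ip.exploded,
        "network": str(net),
        "interface_id": f"{iid:0{iid_bits // 4}x}",
        "addresses_in_subnet": net.num_addresses,
    }


if __name__ == "__main__":
    # Constructed sample values taken from the slides above.
    print(netmask_to_prefix("255.255.248.0"))   # 21
    print(prefix_to_netmask(24))                # 255.255.255.0
    info = split_ipv6("2001:44b8:80:1234:c0:ffee:dead:beef")
    for key, value in info.items():
        print(f"{key:>20}: {value}")
```

The contiguity check matters when reading masks out of legacy router configuration: a typo such as 255.255.254.0 written as 255.255.245.0 would otherwise convert to a plausible-looking prefix length.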
IPv4: Sending a packet to the "all-ones" address in a subnet produces a broadcast.

IPv6: No such thing as a broadcast. 

Heavy reliance on multicast for everything 
that requires the interaction of more than 
two nodes. 

Multicast is built in. Are you familiar with it? 
In the IPv4 world, TCP and UDP are the most common layer-4 protocols

• ICMP is used for "control plane" functions

In the IPv6 world, TCP and UDP are the same as they are in IPv4

• ICMP6 is used for "control plane" functions - more important than v4 ICMP.
IPv4: Almost all addresses are assigned statically (configuration on the host) or via DHCP.

IPv6: Almost all addresses are assigned dynamically 
using a method intrinsic to the protocol - SLAAC. 

DHCPv6 is still available, but differs in several 
important areas from IPv4 DHCP 

Having multiple addresses on one host is totally 
normal and expected. 
[Diagram: SLAAC exchange between a host and its router]

Host                                                  Router
  |  src: fe80::123:bff:f417:900a                        |
  |  dst: ff02::2 (all-routers multicast)                |
  |  protocol: ICMP6, message-type: RS  ---------------->|
  |                                                      |
  |<----------------- dst: fe80::123:bff:f417:900a       |
  |                   protocol: ICMP6, message-type: RA  |

(The slide also shows the address fragment fdff:fee7:bf9b:ef75.)
Static configuration and DHCP assignment are also available (not often used)

A flag in the RA message indicates to the host whether DHCP should be used

• (so the router needs to know - unlike v4)

Duplicate Address Detection (DAD) 
automatically rectifies cases where dynamic 
addresses collide. 
<how>

Transition

• GOAL: To run IPv4 and IPv6 simultaneously over the same infrastructure.

• "dual stack"

• Start at the outside, work inwards.

• No need to do the whole network at once

Monday, 23 May 2011
Transition

The core network took slightly over a month
A few low-impact changes during 
maintenance windows a couple of times per 
week. 

After the first few routers were done, the 
rest "ran on rails" 

We make heavy use of configuration 
automation (no human hands touch our BGP) 
Further work

Carrying out a multi-year project to dual-stack all applications and service offerings

All of the enterprise, NBN and ADSL CPE 
sold by Internode now support native IPv6 

Customer, media and community education 
and outreach aimed at an informed 
transition 
<think>

IPv6 is new, still working some of this through



IPv4 is old, we're still working it through 
there too 

Key point: nobody has all the answers yet, 
but that oughtn't be any more alarming 
than the status quo 
Some random security related highlights which I've brainstormed

"Please consider..."
Address space

IPv4 has "engineering address space", RFC 1597

IPv6 has no equivalent (ULA doesn't 
count). 

All addresses are public. Yes, all of them. 

So what about inside the firewall? 
You won't have NAT.
You might think you'll get NAT if you yell 
loudly enough at your vendor 

But you'll be wrong. You won't have NAT. 

You'll still have stateful inspection firewalls 

But no NAT. Get used to it, get over it, NAT 
is gone. All addresses are public. 
Have a think about what NAT is doing for you
What security policy objectives is it serving? 

NAT hides your internal network from the 
outside world. 

Why? Doesn't your firewall do that anyway? 



I can tell you what your internal network 
looks like anyway: It's the same as everyone 
else's, unless you're a maniac. 
Does your firewall support IPv6?

Does your IDS understand IPv6 packets?

Have you enabled v4 AND v6 controls on your hosts? (e.g., router VTY access lists)

Are you capable of applying the same perimeter 
security policy across both IPv4 and IPv6 
simultaneously? 

Remember: Hosts will run both protocols, need 
protection on both protocols. 
It simply isn't possible to scan an IPv6 subnet.

/64 subnets contain 18,446,744,073,709,551,616 addresses

4 billion times larger than the IPv4 Internet

At 1000 addresses per second, it'll take about 580 million years to scan one subnet
Perhaps that works to your advantage: Attackers can't scan you. Another reason you don't need NAT...



Do attackers care whether they can scan you 
anyway? 

> They have lots of other ways of finding your 
end users' addresses 



So perhaps it won't make any difference to them 
[Image: XKCD "Security" comic, xkcd.com]

A crypto nerd's imagination: "His laptop's encrypted. Let's build a million-dollar cluster to crack it." "No good! It's 4096-bit RSA!" "Blast! Our evil plan is foiled!"

What would actually happen: "His laptop's encrypted. Drug him and hit him with this $5 wrench until he tells us the password."
Turns out attackers aren't trying to scan IPv6

IPv6 darknet research has been carried out
Geoff Huston, Chief Scientist, APNIC:

http://www.potaroo.net/ispcol/2010-07/dark6.html

So perhaps IPv6 will kill at least some aspect of black-hat scanning on the public internet?
You can't scan your own networks either

Do your PCI-DSS agreements with banks 
require you to scan? Better check it out, 
get them amended 
EUI-64 "interface identifier" never changes

A device may have the same 64-bit suffix at home, work, VPN, 3G, WiFi hotspot, etc

Built-in tracking token! Even if you use NAT!

Do you want blackhats/govts/competitors/Google to be able to track you? Your staff? Your CEO?

Consider RFC 4941 privacy extensions if you can (some platforms: off by default, not always available)
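An added example, not from the original slides, that ties the SLAAC slides above to this one: it derives the modified EUI-64 interface identifier from a MAC address, forms SLAAC addresses under several /64 prefixes to show that the 64-bit suffix is identical on every network the device joins, and runs the RFC 4941 section 3.2.1 randomised-identifier algorithm alongside so the difference is visible. The MAC address and prefixes are constructed sample values; the zero history seed is an assumption made for reproducibility, a real host seeds it randomly and persists it across reboots.

```python
import hashlib
import ipaddress
from typing import List, Tuple


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    0xfffe is inserted between the OUI and the device-specific half, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, iid: int) -> str:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def rfc4941_temporary_iid(history: bytes, iid: int) -> Tuple[int, bytes]:
    """One round of the RFC 4941 section 3.2.1 randomised-IID algorithm.

    MD5(history || IID): the leftmost 64 bits become the temporary IID, with
    bit 6 (the u/l bit, counting from the left) cleared so it can never be
    mistaken for a real EUI-64; the rightmost 64 bits become the history
    value for the next round.
    """
    if len(history) != 8:
        raise ValueError("history value must be 64 bits")
    digest = hashlib.md5(history + iid.to_bytes(8, "big")).digest()
    temp_iid = int.from_bytes(digest[:8], "big") & ~(1 << 57)
    return temp_iid, digest[8:]


def addresses_for(mac: str, prefixes: List[str]) -> List[dict]:
    """One device moving between networks (home, work, hotspot, ...).

    For each /64 prefix it visits, return the stable EUI-64 SLAAC address and
    an RFC 4941 temporary address. History is seeded to zero here only so
    the output is reproducible (an assumption for this example).
    """
    stable_iid = eui64_interface_id(mac)
    history = bytes(8)
    rows = []
    for prefix in prefixes:
        temp_iid, history = rfc4941_temporary_iid(history, stable_iid)
        rows.append({
            "prefix": prefix,
            "eui64": slaac_address(prefix, stable_iid),
            "temporary": slaac_address(prefix, temp_iid),
        })
    return rows


def shared_suffix(addresses: List[str]) -> bool:
    """True when every address carries the same low 64 bits: a tracking token."""
    low64 = {int(ipaddress.IPv6Address(a)) & ((1 << 64) - 1) for a in addresses}
    return len(low64) == 1


if __name__ == "__main__":
    # Constructed sample: one laptop, three networks it might join in a day.
    visits = addresses_for("00:1a:2b:3c:4d:5e",
                           ["2001:db8:aaaa:1::/64", "2001:db8:bbbb:2::/64",
                            "2001:db8:cccc:3::/64"])
    for row in visits:
        print(f"{row['prefix']:<22} EUI-64: {row['eui64']:<32} temp: {row['temporary']}")
    print("EUI-64 suffix identical everywhere:",
          shared_suffix([r["eui64"] for r in visits]))
    print("temporary suffix identical everywhere:",
          shared_suffix([r["temporary"] for r in visits]))
```

The ff:fe in the middle of the identifier is also a giveaway that the low 64 bits are a MAC address, so an observer does not even need two sightings to know it is a stable hardware token.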
We all know about "rogue DHCP servers"

Dynamic address allocation is built-in to the IPv6 protocol suite

• ... so now we have to worry about rogue RAs.

Anyone can send ICMP6 RA messages.

Does your switch vendor support ra-guard?

http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-08
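An added example (not from the slides or from the ra-guard draft) of what a rogue-RA check has to do: build ICMPv6 Router Advertisements laid out as RFC 4861 section 4.2 describes, parse them back including the Prefix Information and Source Link-layer Address options, and compare each against a per-segment policy. The router allowlist, expected prefix and DHCPv6 setting are constructed assumptions; the RA payloads are in-memory test data with the checksum left at zero, not captured traffic.

```python
import struct
import ipaddress
from typing import Dict, List

ND_ROUTER_ADVERT = 134      # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SOURCE_LLADDR = 1       # ND option: Source Link-layer Address
OPT_PREFIX_INFO = 3         # ND option: Prefix Information

# Constructed policy for this example: the one legitimate router on the
# segment, the prefix it should advertise, and whether DHCPv6 is in use.
LEGIT_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = {"2001:db8:1:2::/64"}
DHCPV6_IN_USE = False


def build_ra(hop_limit: int, flags: int, router_lifetime: int,
             prefixes: List[tuple], src_mac: str = None) -> bytes:
    """Build an ICMPv6 RA payload with ND options.

    prefixes is a list of (prefix, valid_lifetime, preferred_lifetime).
    Checksum is left at zero: this is test data, not a packet to transmit.
    """
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)
    if src_mac:
        msg += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # 0xC0 = L (on-link) and A (autonomous: hosts may SLAAC from it)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           valid, preferred, 0) + net.network_address.packed
    return msg


def parse_ra(payload: bytes) -> Dict:
    """Parse an RA payload; malformed ND options are rejected (RFC 4861 s4.6)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # must be discarded
        end = off + olen * 8                            # length is in 8-octet units
        if end > len(payload):
            raise ValueError("truncated ND option")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            net = ipaddress.IPv6Network((ipaddress.IPv6Address(body[14:30]), plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        off = end
    return ra


def assess_ra(src_ip: str, payload: bytes) -> List[str]:
    """Findings for one RA seen on the segment; empty means it matches policy."""
    ra = parse_ra(payload)
    findings = []
    if src_ip not in LEGIT_ROUTERS:
        findings.append(f"RA from unexpected router {src_ip} (mac {ra['src_mac']})")
    for p in ra["prefixes"]:
        if p["prefix"] not in EXPECTED_PREFIXES:
            findings.append(f"unexpected prefix {p['prefix']} autonomous={p['autonomous']}")
    if ra["router_lifetime"] == 0 and src_ip in LEGIT_ROUTERS:
        findings.append("legitimate router address announcing lifetime 0 (spoofed withdrawal?)")
    if (ra["managed"] or ra["other"]) != DHCPV6_IN_USE:
        findings.append(f"M/O flags M={ra['managed']} O={ra['other']} disagree with site policy")
    return findings


if __name__ == "__main__":
    legit = build_ra(64, 0x00, 1800, [("2001:db8:1:2::/64", 86400, 14400)], "00:11:22:33:44:55")
    rogue = build_ra(64, 0x00, 1800, [("2001:db8:bad::/64", 86400, 14400)], "de:ad:be:ef:00:01")
    for src, ra in (("fe80::1", legit), ("fe80::dcad:beff:feef:1", rogue)):
        print(src, "->", assess_ra(src, ra) or ["OK"])
```

Two of the checks are worth noting: a lifetime-0 RA sent from the legitimate router's own link-local address is how an attacker withdraws the real default route before supplying their own, and an RA whose M/O flags disagree with site policy will send hosts looking for a DHCPv6 server the attacker is happy to provide.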
Man in the middle attacks

Where's traffic actually going on public WiFi hotspots? Is your default router legitimate?

Lots of tools here, mostly related to RA spoofing:

http://www.darknet.org.uk/2010/07/thc-ipv6-toolkit-attacking-the-ipv6-protocol/
Blocking ICMP at your firewall?

Please stop. ICMP6 is not optional.

Path MTU discovery, flow control, basic reachability.

If you must block it, carefully filter specific ICMP6 message types (think why? what're you trying to achieve?)

RFC 4890: "ICMPv6 Filtering Recommendations."
http://www.ietf.org/rfc/rfc4890.txt
Are you running IPv6 on your enterprise network yet?

How do you know?

"Transition technologies" - automatic tunnelling

It's out there, many of your hosts will be doing it by default. Under whose security policy? (Hopefully yours)

"Since the victims aren't using IPv6, they won't be expecting an attack that makes use of it."
http://resources.infosecinstitute.com/slaac-attack/
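One way to answer "how do you know?", added here and not part of the original slides, is to look at the addresses your hosts already hold: 6to4, Teredo and ISATAP addresses follow recognisable patterns and embed the IPv4 endpoints of the tunnel, so an inventory of host addresses reveals tunnels nobody configured. The classifier below extracts those IPv4 endpoints; the sample address list is constructed (the Teredo entry is the RFC 4380 example address), and the 6to4, Teredo and ISATAP layouts follow RFC 3056, RFC 4380 and RFC 5214.

```python
import ipaddress
from typing import Dict, List

TEREDO = ipaddress.IPv6Network("2001::/32")        # RFC 4380
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def classify(addr: str) -> Dict:
    """Tell a native IPv6 address from an automatic tunnel address.

    6to4, Teredo and ISATAP all embed IPv4 addresses, so a host can be on the
    IPv6 internet through a tunnel its owner never configured; pulling the
    IPv4 addresses back out shows where the tunnel actually terminates.
    """
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)
    low32 = raw & 0xFFFFFFFF
    if ip in LINK_LOCAL:
        return {"address": addr, "kind": "link-local"}
    if ip in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> the site's public IPv4 W.X.Y.Z sits in bits 16..47
        return {"address": addr, "kind": "6to4",
                "embedded_ipv4": str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))}
    if ip in TEREDO:
        # 2001:0:SERVER:FLAGS:~PORT:~CLIENT, port and client XORed with all-ones
        return {"address": addr, "kind": "teredo",
                "server_ipv4": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
                "flags": (raw >> 48) & 0xFFFF,
                "client_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
                "client_ipv4": str(ipaddress.IPv4Address(low32 ^ 0xFFFFFFFF))}
    if ((raw >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):
        # ISATAP: interface ID is 0000:5efe or 0200:5efe followed by the IPv4 address
        return {"address": addr, "kind": "isatap",
                "embedded_ipv4": str(ipaddress.IPv4Address(low32))}
    return {"address": addr, "kind": "native"}


def tunnel_report(addresses: List[str]) -> List[str]:
    """One line per address that reaches IPv6 through a tunnel rather than natively."""
    lines = []
    for a in addresses:
        c = classify(a)
        if c["kind"] in ("6to4", "isatap"):
            lines.append(f"{a}: {c['kind']} via IPv4 {c['embedded_ipv4']}")
        elif c["kind"] == "teredo":
            lines.append(f"{a}: teredo client {c['client_ipv4']}:{c['client_port']} "
                         f"via server {c['server_ipv4']}")
    return lines


if __name__ == "__main__":
    # Constructed sample: addresses as they might appear in a host inventory.
    seen = [
        "2001:db8:1:2:21a:2bff:fe3c:4d5e",          # native SLAAC address
        "fe80::1",                                   # link-local: present even with no IPv6 plan
        "2002:c000:201::1",                          # 6to4 relay for 192.0.2.1
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",      # Teredo (RFC 4380 example address)
        "2001:db8::5efe:c000:203",                   # ISATAP for 192.0.2.3
    ]
    for line in tunnel_report(seen):
        print(line)
```

Every IPv6-capable host has at least the link-local address whether or not anyone planned for IPv6, which is the point of the slide: the protocol is already on the wire, and a rogue RA on the segment is enough to give those hosts a default route.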
Security policy consistency
v6 policy should be the same as IPv4

Where that isn't possible, design alternatives, change policy, consider threat model differences, etc.

Almost all differences are at layer-3 and below.

But expect wrinkles.
Questions?

Mark Newton, Internode
newton@internode.com.au

NewtonMark

ICANHASCHEEZBURGER.COM

All images in this presentation are owned by the author, or sourced from Google image search restricted to images labelled to permit reuse